Why Malevolent Hackers Are Targeting Energy Grids

Microsoft has identified a trend of hackers exploiting a decades-old web server component buried in IoT devices to break into energy grids.

By Kari Apted | Published


In the ongoing battle to stay ahead of malicious hackers, Microsoft announced on Tuesday that it had traced attacks on the energy sector to flaws in a decades-old software component built into many Internet of Things (IoT) devices. Those vulnerabilities allowed hackers to target and infiltrate energy sector organizations, and Microsoft’s analysis concluded that the problem poses a serious supply chain risk.

According to TechCrunch, the culprit is the Boa web server, a vulnerable open-source component. This small-footprint web server was discontinued in 2005, but it still ships inside a wide variety of routers, security cameras and software development kits (SDKs), leaving those devices open to attack by energy grid hackers.

According to TechTarget, the Internet of Things is defined as “a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.” By that definition, a “thing” in the IoT could be a vehicle with built-in sensors, a farm animal with a biochip transponder or a person with a heart monitor implant. These things are assigned an Internet Protocol (IP) address and can transfer data over a network, which lets organizations operate more efficiently but also gives every such device a network-reachable attack surface.

A suspected intrusion into India’s electric grid took place last April, when Chinese state-sponsored energy grid hackers used compromised IoT devices as a foothold to reach operational technology (OT) networks, the networks that monitor and control physical industrial systems. In October, one of India’s top power companies, Tata Power, confirmed another cyberattack.

Following the Tata Power breach, the Hive ransomware group published data it had stolen during its attack on the Indian power giant. The leaked information included engineering drawings and private keys, as well as client records, sensitive employee information and financial and banking records.

Over a single week, Microsoft identified more than one million internet-exposed Boa server components worldwide. It warned that the vulnerabilities pose a “supply chain risk that may affect millions of organizations and devices.” Microsoft added that attackers continue to attempt to exploit Boa’s flaws, which include a “high-severity information disclosure bug (CVE-2021-33558) and another arbitrary file access flaw (CVE-2017-9833).”

Microsoft also noted that flaws of this kind let attackers collect information about network assets before launching an attack: an information disclosure or arbitrary file read bug on an exposed device can hand over configuration details and credentials. With valid credentials in hand, the energy grid hackers can access the network undetected, and that quiet foothold lets them cause far greater impact once they launch the actual attack.

“Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector,” Microsoft said. It also warned that mitigating Boa flaws is difficult, both because the now-defunct web server is so widespread and because it is buried deep in the IoT supply chain: it arrives inside SDKs and firmware from upstream vendors, so the organization operating the device often does not know it is there.

Microsoft’s report recommends several measures that network operators and organizations can take to identify the vulnerable components targeted by energy grid hackers: patch outdated, vulnerable devices wherever possible; eliminate unnecessary internet exposure and connections to IoT devices on the network; and use proactive antivirus scanning tools to identify potentially malicious payloads on devices.
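As an added example that is not part of the original article or of Microsoft’s report, the following Python shows two first-pass checks behind the recommendations above and the Boa flaws described earlier: identifying devices that advertise Boa in their HTTP Server banner (the starting point for inventorying exposed components), and flagging directory-traversal requests in a device’s web access log, the generic technique behind an arbitrary file read bug such as CVE-2017-9833. All addresses, response heads and log lines are constructed sample data, and the traversal check is deliberately generic: it does not encode the specific request path of any Boa CVE.

```python
"""Added example (not from the original article or Microsoft's report):
find Boa by its HTTP Server banner, and spot directory-traversal requests
of the kind an arbitrary-file-read bug like CVE-2017-9833 is probed with.
All hosts, response heads and log lines below are constructed sample data.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed: raw HTTP response heads as a one-request banner grab per host
# would return them (not real devices).
BANNERS: Dict[str, str] = {
    "10.0.0.12": ("HTTP/1.0 200 OK\r\nDate: Tue, 22 Nov 2022 10:00:00 GMT\r\n"
                  "Server: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>"),
    "10.0.0.13": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.14": ("HTTP/1.0 401 Unauthorized\r\nServer: Boa/0.94.13\r\n"
                  "WWW-Authenticate: Basic realm=\"camera\"\r\n\r\n"),
    "10.0.0.15": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n",  # banner stripped
}

# Constructed: Common Log Format lines from an IoT device's web server.
ACCESS_LOG = """\
203.0.113.5 - - [22/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [22/Nov/2022:10:01:03 +0000] "GET /cgi-bin/status.cgi?file=../../etc/passwd HTTP/1.1" 200 1821
203.0.113.9 - - [22/Nov/2022:10:02:17 +0000] "GET /images/%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 200 612
203.0.113.9 - - [22/Nov/2022:10:02:18 +0000] "GET /%252e%252e/%252e%252e/etc/hosts HTTP/1.0" 404 0
198.51.100.7 - - [22/Nov/2022:10:03:00 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 300
198.51.100.7 - - [22/Nov/2022:10:03:05 +0000] "GET /cgi-bin/view?f=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.0" 200 980
"""

BOA_RE = re.compile(r"^Boa/(\S+)", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." path step followed by a separator (or end of string), checked after decoding.
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|$)")


def server_header(response_head: str) -> Optional[str]:
    """Return the value of the Server header in a raw HTTP response, or None."""
    head = response_head.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def find_boa_hosts(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> Boa version string for every host whose banner names Boa.
    Boa was discontinued in 2005, so any match is an unsupported component."""
    found: Dict[str, str] = {}
    for host, head in banners.items():
        srv = server_header(head)
        match = BOA_RE.match(srv) if srv else None
        if match:
            found[host] = match.group(1)
    return found


def decode_target(target: str) -> str:
    """Percent-decode twice so double-encoded traversal (%252e%252e) is caught too."""
    return unquote(unquote(target))


def is_traversal(target: str) -> bool:
    """True if the decoded request target contains a '..' path step or a NUL byte."""
    decoded = decode_target(target)
    return bool(TRAVERSAL_RE.search(decoded)) or "\x00" in decoded


def find_traversal_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per log line whose request target looks like traversal."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if is_traversal(target):
            hits.append({
                "ip": m.group("ip"),
                "target": target,
                "decoded": decode_target(target),
                "status": int(m.group("status")),  # 200 means the read likely succeeded
            })
    return hits


if __name__ == "__main__":
    for host, version in find_boa_hosts(BANNERS).items():
        print(f"{host}: Boa/{version} (discontinued 2005, unsupported)")
    for hit in find_traversal_attempts(ACCESS_LOG):
        print(f"{hit['ip']} -> {hit['decoded']!r} status {hit['status']}")
```

In practice the banner map would come from a scanner run against the organization’s own address space, and a hit is a reason to find the device’s firmware vendor and patch or isolate it. The reverse does not hold: a device can strip or rewrite its Server header, so a clean banner sweep proves nothing on its own and belongs alongside a review of the SDKs and firmware the vendors actually shipped. On the log side, the status code matters: a traversal request answered with 200 is a likely successful read of a file such as a password or configuration file, which is exactly the credential harvesting the article describes, and it should trigger an incident response rather than just a block rule.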

Additionally, the company suggested deploying a comprehensive IoT and OT security solution such as its own Microsoft Defender for IoT, so that organizations can monitor their devices and respond to threats from energy grid hackers. Greater visibility also makes it easier to detect, and alert on, IoT devices running Boa that hackers are using to enter a network.